
Ansible - Encryption and Decryption

Time: 2022-11-02 12:45:33


ansible-vault

Purpose

  • encryption/decryption utility for Ansible data files
  • Mainly used where sensitive information is involved; it can encrypt and decrypt that information
  • See 'ansible-vault --help' for more information on a specific command.
# ansible-vault -h
usage: ansible-vault [-h] [--version] [-v]
                     {create,decrypt,edit,view,encrypt,encrypt_string,rekey}
                     ...

encryption/decryption utility for Ansible data files

positional arguments:
  {create,decrypt,edit,view,encrypt,encrypt_string,rekey}
    create              Create new vault encrypted file
    decrypt             Decrypt vault encrypted file
    edit                Edit vault encrypted file
    view                View vault encrypted file
    encrypt             Encrypt YAML file
    encrypt_string      Encrypt a string
    rekey               Re-key a vault encrypted file

optional arguments:
  --version             show program's version number, config file location, configured module search path, module location, executable location and exit
  -h, --help            show this help message and exit
  -v, --verbose         verbose mode (-vvv for more, -vvvv to enable connection debugging)

See 'ansible-vault <command> --help' for more information on a specific command.

Common commands

# Encrypt a file
ansible-vault encrypt test-vault.yml
ansible-vault encrypt test-vault.yml --vault-password-file pwdfile

# Decrypt a file
ansible-vault decrypt test-vault.yml
ansible-vault decrypt test-vault.yml --vault-password-file pwdfile

# View a file
ansible-vault view test-vault.yml
ansible-vault view test-vault.yml --vault-password-file pwdfile

# Change a file's password (rekey)
ansible-vault rekey test-vault.yml
ansible-vault rekey test-vault.yml --vault-password-file pwdfile --new-vault-password-file pwdfilenew

# Create an encrypted file
ansible-vault create test-vault.yml
ansible-vault create test-vault.yml --vault-password-file pwdfile

# Edit an encrypted file
ansible-vault edit test-vault.yml
ansible-vault edit test-vault.yml --vault-password-file pwdfile

# Encrypt a string
ansible-vault encrypt_string 'test123456'
ansible-vault encrypt_string 'test123456' --name 'ansible_ssh_pass'
ansible-vault encrypt_string 'test123456' --name 'ansible_ssh_pass' --vault-id anliven@pwdfile

The "--vault-id" option

# Since Ansible 2.4, the official recommendation is to use "--vault-id" instead of "--vault-password-file" to specify the password file
# "--vault-id prompt" is functionally equivalent to the "--ask-vault-pass" option
# Several password files can be supplied at once for decryption, which suits playbooks that reference other files
# A specific string (a label) can be embedded in the encrypted file as a marker

ansible-vault encrypt_string 'test123456' --name 'ansible_ssh_pass' --vault-id pwdfile  # encrypt a string

ansible-vault encrypt test-vault.yml --vault-id pwdfile  # encrypt a file
ansible-vault encrypt test-vault.yml --vault-id anliven@pwdfile  # the encrypted file's content contains the string anliven

ansible-vault decrypt test-vault.yml --vault-id pwdfile  # decrypt a file
ansible-vault view test-vault.yml --vault-id pwdfile  # view a file
ansible-vault edit test-vault.yml --vault-id pwdfile  # edit a file

ansible-vault rekey test-vault.yml --vault-id pwdfile  # change the password interactively
ansible-vault rekey test-vault.yml --vault-id pwdfile  --new-vault-id pwdfilenew  # change the password using a new password file

ansible-playbook test-vault.yml --vault-id pwdfile  # run the playbook
ansible-playbook test-vault.yml --vault-id pwdfile1 --vault-id pwdfile2   # supply several password files for decryption; test-vault.yml references other vault-encrypted files
ansible-playbook test-vault1.yml test-vault2.yml --vault-id pwdfile1 --vault-id pwdfile2  # supply several password files to decrypt several encrypted files

Examples

Example 1: Interactive password

[root@test01 ansible-test]# cat test-vault.yml 
- hosts: ta
  gather_facts: no
  tasks:
  - debug:
      msg: "test ansible-vault"
[root@test01 ansible-test]# 
[root@test01 ansible-test]# ansible-playbook test-vault.yml

PLAY [ta] *********************************************************************************************************************************************************************************************

TASK [debug] ******************************************************************************************************************************************************************************************
ok: [172.20.8.247] => {
    "msg": "test ansible-vault"
}

PLAY RECAP ********************************************************************************************************************************************************************************************
172.20.8.247               : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

[root@test01 ansible-test]# 
[root@test01 ansible-test]# ansible-vault encrypt test-vault.yml 
New Vault password: 
Confirm New Vault password: 
Encryption successful
[root@test01 ansible-test]# 
[root@test01 ansible-test]# cat test-vault.yml 
$ANSIBLE_VAULT;1.1;AES256
32656239643632646139633938613430326139636636333235346361643161393131396661366534
6636386331316239616632316137316266316266646432360a366366643232313033343835346638
38616331636639643731633766333335613763623636333363336238353931616263313637313834
3135656632343034340a316238656238336432386638373236653738306530383232626231333438
38666338346130333561316535353637616230633634346162303730393166396230616533396435
38346536306433653566373438303565373036663138366330313836356666656639393438396134
35333465623365636531653562363366323065316238333333353863376236373362373832633636
62613732666263306531653231353931326635303533623934633235396239613838613230323862
3134
[root@test01 ansible-test]# 
[root@test01 ansible-test]# ansible-vault view test-vault.yml 
Vault password: 
- hosts: ta
  gather_facts: no
  tasks:
  - debug:
      msg: "test ansible-vault"
[root@test01 ansible-test]# 
[root@test01 ansible-test]# ansible-playbook --ask-vault-pass test-vault.yml 
Vault password: 

PLAY [ta] *********************************************************************************************************************************************************************************************

TASK [debug] ******************************************************************************************************************************************************************************************
ok: [172.20.8.247] => {
    "msg": "test ansible-vault"
}

PLAY RECAP ********************************************************************************************************************************************************************************************
172.20.8.247               : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

[root@test01 ansible-test]# 
[root@test01 ansible-test]# ansible-vault decrypt test-vault.yml 
Vault password: 
Decryption successful
[root@test01 ansible-test]# 
[root@test01 ansible-test]# cat test-vault.yml 
- hosts: ta
  gather_facts: no
  tasks:
  - debug:
      msg: "test ansible-vault"
[root@test01 ansible-test]# 

Example 2: Password file

[root@test01 ansible-test]# echo "This-is_a#Test!2o22" > pwdfile
echo "This-is_a#Testhistoryo22" > pwdfile
[root@test01 ansible-test]# 
[root@test01 ansible-test]# cat pwdfile 
This-is_a#Testhistoryo22
[root@test01 ansible-test]# 
[root@test01 ansible-test]# ansible-vault encrypt test-vault.yml --vault-password-file pwdfile
Encryption successful
[root@test01 ansible-test]# 
[root@test01 ansible-test]# cat test-vault.yml 
$ANSIBLE_VAULT;1.1;AES256
63343030376661643237653266366133313735363630353564363631376563613236383863346264
6163303562643831636237633038373265616334343234630a613466663138396334303463623665
30353632396236306435633062383864646466616261393064313633373635353633656161393266
3234326635323438610a376631323634316663313130356466306238306638613261663138333663
30363461616433643530656562313139303831346365346531303530666236373038306435636338
39666432326465313834613164356436653366656138613634303339346130353033313330303733
30643934383363333261646366396330343164393236633138383137316166643966393838396464
64323863306539333534663938393962326231373137613630623635313534356163363261626262
3765
[root@test01 ansible-test]# 
[root@test01 ansible-test]# ansible-vault view  test-vault.yml --vault-password-file pwdfile
- hosts: ta
  gather_facts: no
  tasks:
  - debug:
      msg: "test ansible-vault"
[root@test01 ansible-test]# 
[root@test01 ansible-test]# ansible-playbook test-vault.yml --vault-password-file pwdfile

PLAY [ta] *********************************************************************************************************************************************************************************************

TASK [debug] ******************************************************************************************************************************************************************************************
ok: [172.20.8.247] => {
    "msg": "test ansible-vault"
}

PLAY RECAP ********************************************************************************************************************************************************************************************
172.20.8.247               : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

[root@test01 ansible-test]# 
[root@test01 ansible-test]# ansible-vault decrypt test-vault.yml --vault-password-file pwdfile
Decryption successful
[root@test01 ansible-test]# 
[root@test01 ansible-test]# cat test-vault.yml 
- hosts: ta
  gather_facts: no
  tasks:
  - debug:
      msg: "test ansible-vault"
[root@test01 ansible-test]# 

Example 3: Encrypting a string

[root@test01 ansible-test]# ansible-vault encrypt_string "test123456"
New Vault password: 
Confirm New Vault password: 
!vault |
          $ANSIBLE_VAULT;1.1;AES256
          33383336353737346430653165326665393430346539376334396335336530613330643764313962
          3438366538366262316666353962663564666532393333300a333934633664393262653065343864
          63653361666133363862353061323238376335666165313130393664623761393033343136343265
          6166663630353038380a666164643565343336373062323135643038363436343938383363303632
          6230
Encryption successful
[root@test01 ansible-test]# 
[root@test01 ansible-test]# vim test-encrypt_string.yaml 
[root@test01 ansible-test]# 
[root@test01 ansible-test]# cat test-encrypt_string.yaml 
- hosts: ta
  gather_facts: no
  vars:
    test_user: "testuser"
    test_passwd: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          33383336353737346430653165326665393430346539376334396335336530613330643764313962
          3438366538366262316666353962663564666532393333300a333934633664393262653065343864
          63653361666133363862353061323238376335666165313130393664623761393033343136343265
          6166663630353038380a666164643565343336373062323135643038363436343938383363303632
          6230
  tasks:
  - debug:
      msg: "{{test_user}}"
  - debug:
      msg: "{{test_passwd}}"
[root@test01 ansible-test]# 
[root@test01 ansible-test]# ansible-playbook test-encrypt_string.yaml --ask-vault-pass
Vault password: 

PLAY [ta] *********************************************************************************************************************************************************************************************

TASK [debug] ******************************************************************************************************************************************************************************************
ok: [172.20.8.247] => {
    "msg": "testuser"
}

TASK [debug] ******************************************************************************************************************************************************************************************
ok: [172.20.8.247] => {
    "msg": "test123456"
}

PLAY RECAP ********************************************************************************************************************************************************************************************
172.20.8.247               : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

[root@test01 ansible-test]# 

Example 4: Encrypting a string with a password file

[root@test01 ansible-test]# ansible-vault encrypt_string "test123456" --name "test_passwd" --vault-id anliven@pwdfile
test_passwd: !vault |
          $ANSIBLE_VAULT;1.2;AES256;anliven
          61646130623833333634646632393432326431383864663134356530323536663165303061313661
          3365343837623564343037663236316635666565613730350a393731646238376638363365363561
          35383465336137313134306363363139386537633839393363653465333161303634313832383136
          3038326464613935350a383565343261363833333631663862336464303538323561363237326637
          3431
Encryption successful
[root@test01 ansible-test]# 
[root@test01 ansible-test]# vim test-encrypt_string.yaml
[root@test01 ansible-test]# cat test-encrypt_string.yaml
- hosts: ta
  gather_facts: no
  vars:
    test_user: "testuser"
    test_passwd: !vault |
          $ANSIBLE_VAULT;1.2;AES256;anliven
          61646130623833333634646632393432326431383864663134356530323536663165303061313661
          3365343837623564343037663236316635666565613730350a393731646238376638363365363561
          35383465336137313134306363363139386537633839393363653465333161303634313832383136
          3038326464613935350a383565343261363833333631663862336464303538323561363237326637
          3431
  tasks:
  - debug:
      msg: "{{test_user}}"
  - debug:
      msg: "{{test_passwd}}"
[root@test01 ansible-test]# 
[root@test01 ansible-test]# ansible-playbook test-encrypt_string.yaml --vault-id pwdfile

PLAY [ta] *********************************************************************************************************************************************************************************************

TASK [debug] ******************************************************************************************************************************************************************************************
ok: [172.20.8.247] => {
    "msg": "testuser"
}

TASK [debug] ******************************************************************************************************************************************************************************************
ok: [172.20.8.247] => {
    "msg": "test123456"
}

PLAY RECAP ********************************************************************************************************************************************************************************************
172.20.8.247               : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

[root@test01 ansible-test]# 
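
Example 4 shows the label from "--vault-id anliven@pwdfile" appearing in the header of the encrypted text. The Python script below is an added example, not code from the original post or from Ansible: it parses that envelope without any password, reporting the format version, cipher and label, and can be used to check that a file is really vault-encrypted before it is committed. The function names are hypothetical, and the sample is the vault text printed in Example 4.

```python
import binascii

# Vault text copied from the Example 4 output on this page (label "anliven").
SAMPLE = """$ANSIBLE_VAULT;1.2;AES256;anliven
61646130623833333634646632393432326431383864663134356530323536663165303061313661
3365343837623564343037663236316635666565613730350a393731646238376638363365363561
35383465336137313134306363363139386537633839393363653465333161303634313832383136
3038326464613935350a383565343261363833333631663862336464303538323561363237326637
3431
"""


def parse_vault_envelope(text):
    """Return header fields and raw salt/HMAC/ciphertext of 1.1/1.2 vault text.

    Inspects the envelope only: no password is needed and nothing is decrypted.
    """
    lines = [ln.strip() for ln in text.strip().splitlines()] or [""]
    fields = lines[0].split(";")
    if fields[0] != "$ANSIBLE_VAULT" or len(fields) not in (3, 4):
        raise ValueError("not vault text or malformed header: %r" % lines[0])
    version, cipher = fields[1], fields[2]
    # Format 1.2 carries a fourth field, the vault ID label; 1.1 has none.
    label = fields[3] if len(fields) == 4 else None
    if (version == "1.2") != (label is not None):
        raise ValueError("header version %s does not match its fields" % version)
    try:
        # The body is hex of three newline-joined parts, each itself hex-encoded.
        inner = binascii.unhexlify("".join(lines[1:]))
        salt, tag, ciphertext = (binascii.unhexlify(p) for p in inner.split(b"\n"))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("malformed vault payload: %s" % exc) from exc
    return {"version": version, "cipher": cipher, "label": label,
            "salt": salt, "hmac": tag, "ciphertext": ciphertext}


def is_vault_encrypted(text):
    """True only if the whole text is a well-formed vault envelope."""
    try:
        parse_vault_envelope(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    env = parse_vault_envelope(SAMPLE)
    print(env["version"], env["cipher"], env["label"],
          len(env["salt"]), len(env["hmac"]), len(env["ciphertext"]))
    print(is_vault_encrypted("- hosts: ta\n  gather_facts: no\n"))
```

The parser strips leading whitespace from every line, so the indented block that follows "!vault |" in a playbook can be passed to it as is.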

From: https://www.cnblogs.com/anliven/p/16850607.html
